
CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

An arbitrary file download vulnerability in the background management module of RuoYi v4.7.6 and below allows attackers to download arbitrary files in the server.
• https://gitee.com/y_project/RuoYi/commit/432d5ce1be2e9384a6230d7ccd8401eef5ce02b0
• https://gitee.com/y_project/RuoYi/issues/I697Q5
• CWE-494: Download of Code Without Integrity Check

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

RuoYi up to v4.7.5 was discovered to contain a SQL injection vulnerability via the component /tool/gen/createTable.
• https://gitee.com/y_project/RuoYi/issues/I65V2B
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Deserialization issue discovered in Ruoyi before 4.6.1 allows remote attackers to run arbitrary code via weak cipher in Shiro framework.
• https://www.du1ge.com/archives/CVE-2021-38241
• CWE-502: Deserialization of Untrusted Data

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

A vulnerability, which was classified as critical, has been found in y_project RuoYi 4.7.5. This issue affects some unknown processing of the file com/ruoyi/generator/controller/GenController. The manipulation leads to SQL injection. The name of the patch is 167970e5c4da7bb46217f576dc50622b83f32b40. It is recommended to apply a patch to fix this issue.
• https://gitee.com/y_project/RuoYi/commit/167970e5c4da7bb46217f576dc50622b83f32b40
• https://gitee.com/y_project/RuoYi/issues/I65V2B
• https://github.com/luelueking/ruoyi-4.7.5-vuln-poc
• https://vuldb.com/?id.215975
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
• CWE-707: Improper Neutralization

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

A vulnerability was found in y_project RuoYi-Cloud. It has been rated as problematic. Affected by this issue is some unknown functionality of the component JSON Handler. The manipulation leads to cross-site scripting. The attack may be launched remotely.
• https://gitee.com/y_project/RuoYi-Cloud/issues/I5IRC8
• https://vuldb.com/?id.215108
• CWE-707: Improper Neutralization